Black Hat: Network Compromise by Taking Out the Router

LAS VEGAS—Researchers demonstrated how they could use JavaScript to remotely compromise a network router at the Black Hat security conference.

During the "Blended Threats and JavaScript: A Plan for Permanent Network Compromise" session on Thursday, senior security researchers Joshua Brashars and Phil Purviance of AppSec Consulting discussed the steps they took to remotely hack a Linksys router. The attack relied on the victim running a modern browser capable of running HTML5 applications.

The steps were pretty straightforward: lure the victim into visiting a malicious website, which would execute JavaScript to instruct the browser to scan the local network for connected devices. Then, select a device to target and launch a brute-force attack to uncover the administrator credentials. Finally, download malicious firmware onto the device and install it. With that, the device falls completely under the attacker's control and the network has been compromised.

"You've essentially turned these SOHO devices into a full-blown Linux attack framework, and, generally speaking, it will still look and act the same way," Brashars told attendees.

Users tend to ignore what is happening with their routers so long as the devices keep doing their jobs, Brashars said. It is also harder to tell when network devices are compromised, and there aren't security products that can notify users if they are.

Step 1: Trick Users into Launching the Attack

All that's necessary to launch the attack is to "run a small piece of JavaScript" to kick things off, Purviance said. That's "easy enough," Brashars noted.

Users can be directed to specially crafted sites via malicious advertisements, fake pages that mimic file-sharing sites, online surveys promising iPads and other prizes, links on social networks, or just plain search engine optimization.

Step 2: Identify the Target

The next step, finding what devices are on the network, is actually not that hard, the researchers said. There are several scanning applications freely available which can query local IP addresses on the network to discover what is connected. JS-Recon, jslanscanner, and sscan are freely available JavaScript applications that can enumerate local network devices through a victim's browser and use device fingerprinting techniques to determine the type, make and model of those devices.

"If you're able to find out what device they have, you're able to make a pretty good guess about what their password would be," said Purviance.

Home users, small business owners, careless QA engineers, and regular engineers can sometimes forget to change the default password, or they choose not to in order to get devices deployed rapidly, Brashars said. There are sites such as RouterPasswords.com which also list default passwords for network devices, making it easy to look up the information without launching a brute-force attack.

For the demonstration, the researchers used a widely available, but older, type of Linksys router. The attack requires the router to still be using default passwords or an insecure password. Cisco has changed the setup process for the latest Linksys models to force users to change the default password to a fairly strong one. For older routers, though, the attack assumes that users forgot to change the password.

Step 3: Install New Firmware

After figuring out the password, the same malicious website downloads a rogue firmware file to the user's browser and then flashes the router with it without requiring any user interaction. This step is possible because the site exploits the HTML5 features XMLHttpRequest Level 2 (XHR2), Cross-Origin Resource Sharing (CORS), and the File API.
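One defensive check that breaks the "no user interaction" firmware upload described above, as an added example (not code from the talk, from AppSec Consulting, or from any Linksys firmware): the router's admin endpoint refuses state-changing requests whose Origin (or, as a fallback, Referer) does not name the router itself, since a browser always stamps a cross-site XHR POST with the attacker page's origin, whatever credentials the request carries. The trusted host names and the function names are assumptions.

```python
# Added example (hypothetical): a request validator for a router's admin
# endpoints such as a firmware-upgrade handler. A cross-site POST issued by
# an attacker's page via XHR2 carries that page's Origin, while an upload
# from the router's own admin UI carries the router's own origin. Checking
# this defeats the cross-origin upload even when the admin password is the
# factory default, because the browser, not the attacker, sets Origin.
from urllib.parse import urlsplit

# Hosts on which this router serves its admin UI (constructed example values).
TRUSTED_HOSTS = {"192.168.1.1", "router.local"}
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def _host_of(url):
    """Return the host part of an absolute URL, or None if it cannot be parsed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def is_request_allowed(method, headers):
    """Decide whether an admin request may proceed.

    headers: dict of HTTP header names (any case) to values.
    Safe methods always pass. For state-changing methods the Origin header
    must name a trusted host; if Origin is absent, Referer is used instead;
    if neither is present the request is refused (fail closed), because
    modern browsers always send Origin on cross-site XHR POSTs.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    lowered = {name.lower(): value for name, value in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False
    if source.strip().lower() == "null":
        # Opaque origins (sandboxed iframes, file:// pages) are never trusted.
        return False
    return _host_of(source) in TRUSTED_HOSTS
```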

"We're replacing an operating system on a network device and taking complete control of it," Purviance said.

The compromised router gives attackers the ability to monitor everything that passes through the device, Brashars said. Attackers can sniff traffic, launch man-in-the-middle attacks, set up a rogue access point, inject IFRAMEs and payloads into HTTP requests and responses, disable logging, and open an SSH tunnel, among other things.
